Merge "Fix kernel memory leaks in ipvs and ext4"

kernel/kernel-rt/centos/build_srpm.data

@@ -1,4 +1,4 @@
 COPY_LIST="files/*"
-TIS_PATCH_VER=1
+TIS_PATCH_VER=2
 BUILD_IS_BIG=11
 BUILD_IS_SLOW=12

kernel/kernel-rt/centos/meta_patches/Compile-issues.patch

@@ -1,33 +1,37 @@
-From d83caf51542ff89ffc70377d8a04d697d8fe09e3 Mon Sep 17 00:00:00 2001
+From d85ae09a0e333ba2c0b2630a1d4768655cacf481 Mon Sep 17 00:00:00 2001
+Message-Id: <d85ae09a0e333ba2c0b2630a1d4768655cacf481.1566591106.git.Jim.Somerville@windriver.com>
+In-Reply-To: <5d869ea9407975726a95d046391cd640b726ca93.1566591106.git.Jim.Somerville@windriver.com>
+References: <5d869ea9407975726a95d046391cd640b726ca93.1566591106.git.Jim.Somerville@windriver.com>
 From: Bin Yang <bin.yang@intel.com>
 Date: Wed, 31 Jul 2019 14:23:20 +0800
-Subject: [PATCH 3/3] Compile issues
+Subject: [PATCH 2/2] Compile issues
 
 Signed-off-by: Bin Yang <bin.yang@intel.com>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
 ---
  SPECS/kernel-rt.spec | 8 ++++++++
  1 file changed, 8 insertions(+)
 
 diff --git a/SPECS/kernel-rt.spec b/SPECS/kernel-rt.spec
-index e94ec2f..e6e71e4 100644
+index f7aad95..29d3878 100644
 --- a/SPECS/kernel-rt.spec
 +++ b/SPECS/kernel-rt.spec
-@@ -420,6 +420,11 @@ Patch1028: turn-off-write-same-in-smartqpi-driver.patch
- Patch1029: restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
- Patch1030: robustify-CFS-bandwidth-timer-locking.patch
- Patch1031: epoll-fix-use-after-free-in-eventpoll_release_file.patch
-+Patch1032: fix-compilation-issues.patch
+@@ -424,6 +424,11 @@ Patch1031: epoll-fix-use-after-free-in-eventpoll_release_file.patch
+ Patch1032: ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
+ Patch1033: rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
+ Patch1034: rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
++Patch1035: fix-compilation-issues.patch
 +# Fix CentOS 7.6 upgrade compile error
-+Patch1033: fix-CentOS-7.6-upgrade-compile-error.patch
++Patch1036: fix-CentOS-7.6-upgrade-compile-error.patch
 +# Compile fix for disabling CONFIG_MEMCG_KMEM
-+Patch1034: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
++Patch1037: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
  
  BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
  
-@@ -784,6 +789,9 @@ ApplyPatch turn-off-write-same-in-smartqpi-driver.patch
- ApplyPatch restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
- ApplyPatch robustify-CFS-bandwidth-timer-locking.patch
- ApplyPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
+@@ -791,6 +796,9 @@ ApplyPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
+ ApplyPatch ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
+ ApplyPatch rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
+ ApplyPatch rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
 +ApplyPatch fix-compilation-issues.patch
 +ApplyPatch fix-CentOS-7.6-upgrade-compile-error.patch
 +ApplyPatch compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
@@ -35,5 +39,5 @@ index e94ec2f..e6e71e4 100644
  # move off upstream version mechanism
  if [ -e localversion-rt ]; then
 -- 
-2.7.4
+1.8.3.1
 

kernel/kernel-rt/centos/meta_patches/Kernel-source-patches-for-TiC.patch

@@ -1,18 +1,20 @@
-From 2c23df3f032c68046a309e5b9f1d321438905e85 Mon Sep 17 00:00:00 2001
+From 5d869ea9407975726a95d046391cd640b726ca93 Mon Sep 17 00:00:00 2001
+Message-Id: <5d869ea9407975726a95d046391cd640b726ca93.1566591106.git.Jim.Somerville@windriver.com>
 From: Bin Yang <bin.yang@intel.com>
 Date: Mon, 29 Jul 2019 11:48:49 -0400
-Subject: [PATCH 2/3] Kernel source patches for TiC
+Subject: [PATCH 1/2] Kernel source patches for TiC
 
 Signed-off-by: Bin Yang <bin.yang@intel.com>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
 ---
- SPECS/kernel-rt.spec | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 66 insertions(+)
+ SPECS/kernel-rt.spec | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 73 insertions(+)
 
 diff --git a/SPECS/kernel-rt.spec b/SPECS/kernel-rt.spec
-index efc89cd..e94ec2f 100644
+index adffde2..f7aad95 100644
 --- a/SPECS/kernel-rt.spec
 +++ b/SPECS/kernel-rt.spec
-@@ -386,6 +386,40 @@ Source1000: modprobe-dccp-blacklist.conf
+@@ -386,6 +386,44 @@ Source1000: modprobe-dccp-blacklist.conf
  
  # Empty final patch file to facilitate testing of kernel patches
  Patch999999: linux-kernel-test.patch
@@ -50,10 +52,14 @@ index efc89cd..e94ec2f 100644
 +Patch1029: restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
 +Patch1030: robustify-CFS-bandwidth-timer-locking.patch
 +Patch1031: epoll-fix-use-after-free-in-eventpoll_release_file.patch
++# Fix three potential kernel memory leaks
++Patch1032: ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
++Patch1033: rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
++Patch1034: rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
  
  BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
  
-@@ -718,6 +752,38 @@ cp %{SOURCE38} .
+@@ -718,6 +756,41 @@ cp %{SOURCE38} .
  
  ## Apply Patches here
  ApplyPatch linux-kernel-test.patch
@@ -89,9 +95,12 @@ index efc89cd..e94ec2f 100644
 +ApplyPatch restrict-iSCSI-kthreads-to-CPUs-in-cpu_kthread_mask.patch
 +ApplyPatch robustify-CFS-bandwidth-timer-locking.patch
 +ApplyPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
++ApplyPatch ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
++ApplyPatch rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
++ApplyPatch rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
  
  # move off upstream version mechanism
  if [ -e localversion-rt ]; then
 -- 
-2.7.4
+1.8.3.1
 

kernel/kernel-rt/centos/patches/ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch

@@ -0,0 +1,57 @@
+From fdb837fb87ff4907436dfab16709b64d6c3488fd Mon Sep 17 00:00:00 2001
+Message-Id: <fdb837fb87ff4907436dfab16709b64d6c3488fd.1566590430.git.Jim.Somerville@windriver.com>
+From: Tommi Rantala <tt.rantala@gmail.com>
+Date: Thu, 7 May 2015 15:12:21 +0300
+Subject: [PATCH 1/3] ipvs: fix memory leak in ip_vs_ctl.c
+
+[ commit f30bf2a5cac6c60ab366c4bc6db913597bf4d6ab in Linus' repo ]
+
+Fix memory leak introduced in commit a0840e2e165a ("IPVS: netns,
+ip_vs_ctl local vars moved to ipvs struct."):
+
+unreferenced object 0xffff88005785b800 (size 2048):
+  comm "(-localed)", pid 1434, jiffies 4294755650 (age 1421.089s)
+  hex dump (first 32 bytes):
+    bb 89 0b 83 ff ff ff ff b0 78 f0 4e 00 88 ff ff  .........x.N....
+    04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<ffffffff8262ea8e>] kmemleak_alloc+0x4e/0xb0
+    [<ffffffff811fba74>] __kmalloc_track_caller+0x244/0x430
+    [<ffffffff811b88a0>] kmemdup+0x20/0x50
+    [<ffffffff823276b7>] ip_vs_control_net_init+0x1f7/0x510
+    [<ffffffff8231d630>] __ip_vs_init+0x100/0x250
+    [<ffffffff822363a1>] ops_init+0x41/0x190
+    [<ffffffff82236583>] setup_net+0x93/0x150
+    [<ffffffff82236cc2>] copy_net_ns+0x82/0x140
+    [<ffffffff810ab13d>] create_new_namespaces+0xfd/0x190
+    [<ffffffff810ab49a>] unshare_nsproxy_namespaces+0x5a/0xc0
+    [<ffffffff810833e3>] SyS_unshare+0x173/0x310
+    [<ffffffff8265cbd7>] system_call_fastpath+0x12/0x6f
+    [<ffffffffffffffff>] 0xffffffffffffffff
+
+Fixes: a0840e2e165a ("IPVS: netns, ip_vs_ctl local vars moved to ipvs struct.")
+Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 02409f3..3738b84 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -3843,6 +3843,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net)
+ 	cancel_delayed_work_sync(&ipvs->defense_work);
+ 	cancel_work_sync(&ipvs->defense_work.work);
+ 	unregister_net_sysctl_table(ipvs->sysctl_hdr);
++
++	if (!net_eq(net, &init_net))
++		kfree(ipvs->sysctl_tbl);
+ }
+ 
+ #else
+-- 
+1.8.3.1
+

kernel/kernel-rt/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch

@@ -0,0 +1,67 @@
+From a16765613c5cb9b6cb86bc92d21030be124b2dde Mon Sep 17 00:00:00 2001
+Message-Id: <a16765613c5cb9b6cb86bc92d21030be124b2dde.1566590430.git.Jim.Somerville@windriver.com>
+In-Reply-To: <fdb837fb87ff4907436dfab16709b64d6c3488fd.1566590430.git.Jim.Somerville@windriver.com>
+References: <fdb837fb87ff4907436dfab16709b64d6c3488fd.1566590430.git.Jim.Somerville@windriver.com>
+From: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
+Date: Fri, 9 Feb 2018 11:52:14 +0300
+Subject: [PATCH 2/3] rh/ext4: release leaked posix acl in ext4_acl_chmod
+
+[ commit b85d6be0b743a1768b8456d36b52960858fbaa67 in OpenVZ's vzkernel repo ]
+
+Note: only rh7-3.10.0-693.17.1.el7-based kernels are affected.
+I.e. starting from rh7-3.10.0-693.17.1.vz7.43.1.
+
+Posix acl is used to convert of an extended attribute, provided by user to ext4
+attributes. In particular to i_mode in case of ACL_TYPE_ACCESS request.
+IOW, this object is allocated, used for convertion, not stored anywhere and
+must be freed.
+
+However posix_acl_update_mode() can zerofy the pointer to support
+ext4_set_acl() logic, but then the object is leaked.  So, fix it by releasing
+new temporary pointer with the same value instead of acl pointer.
+
+In scope of https://jira.sw.ru/browse/PSBM-81384
+
+RHEL bug URL: https://bugzilla.redhat.com/show_bug.cgi?id=1543020
+
+Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
+Acked-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
+---
+ fs/ext4/acl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
+index 917e819..fce029f 100644
+--- a/fs/ext4/acl.c
++++ b/fs/ext4/acl.c
+@@ -297,7 +297,7 @@ cleanup:
+ int
+ ext4_acl_chmod(struct inode *inode)
+ {
+-	struct posix_acl *acl;
++	struct posix_acl *acl, *real_acl;
+ 	handle_t *handle;
+ 	int retries = 0;
+ 	int error;
+@@ -315,6 +315,8 @@ ext4_acl_chmod(struct inode *inode)
+ 	error = posix_acl_chmod(&acl, GFP_KERNEL, inode->i_mode);
+ 	if (error)
+ 		return error;
++
++	real_acl = acl;
+ retry:
+ 	handle = ext4_journal_start(inode, EXT4_HT_XATTR,
+ 				    ext4_jbd2_credits_xattr(inode));
+@@ -341,7 +343,7 @@ out_stop:
+ 	    ext4_should_retry_alloc(inode->i_sb, &retries))
+ 		goto retry;
+ out:
+-	posix_acl_release(acl);
++	posix_acl_release(real_acl);
+ 	return error;
+ }
+ 
+-- 
+1.8.3.1
+

kernel/kernel-rt/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch

@@ -0,0 +1,79 @@
+From 916c45d11310d03a4a76bd80a40f0c6a767ba39e Mon Sep 17 00:00:00 2001
+Message-Id: <916c45d11310d03a4a76bd80a40f0c6a767ba39e.1566590430.git.Jim.Somerville@windriver.com>
+In-Reply-To: <fdb837fb87ff4907436dfab16709b64d6c3488fd.1566590430.git.Jim.Somerville@windriver.com>
+References: <fdb837fb87ff4907436dfab16709b64d6c3488fd.1566590430.git.Jim.Somerville@windriver.com>
+From: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
+Date: Fri, 9 Feb 2018 11:52:15 +0300
+Subject: [PATCH 3/3] rh/ext4: release leaked posix acl in ext4_xattr_set_acl
+
+[ commit b762d904ada70f239f1c2d2d70c4a64cd04c8ade in OpenVZ's vzkernel repo ]
+
+Note: only rh7-3.10.0-693.17.1.el7-based kernels are affcted.
+I.e. starting from rh7-3.10.0-693.17.1.vz7.43.1.
+
+Posix acl is used to convert of an extended attribute, provided by user to ext4
+attributes. In particular to i_mode in case of ACL_TYPE_ACCESS request.
+
+IOW, this object is allocated, used for convertion, not stored anywhere and
+must be freed.
+
+However posix_acl_update_mode() can zerofy the pointer to support
+ext4_set_acl() logic, but then the object is leaked. So, fix it by releasing
+new temporary pointer with the same value instead of acl pointer.
+
+https://jira.sw.ru/browse/PSBM-81384
+
+RHEL bug URL: https://bugzilla.redhat.com/show_bug.cgi?id=1543020
+
+v2: Added affected kernel version + RHEL bug URL
+
+Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
+Acked-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
+---
+ fs/ext4/acl.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
+index fce029f..046b338 100644
+--- a/fs/ext4/acl.c
++++ b/fs/ext4/acl.c
+@@ -405,7 +405,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
+ {
+ 	struct inode *inode = dentry->d_inode;
+ 	handle_t *handle;
+-	struct posix_acl *acl;
++	struct posix_acl *acl, *real_acl;
+ 	int error, retries = 0;
+ 	int update_mode = 0;
+ 	umode_t mode = inode->i_mode;
+@@ -418,7 +418,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
+ 		return -EPERM;
+ 
+ 	if (value) {
+-		acl = posix_acl_from_xattr(&init_user_ns, value, size);
++		acl = real_acl = posix_acl_from_xattr(&init_user_ns, value, size);
+ 		if (IS_ERR(acl))
+ 			return PTR_ERR(acl);
+ 		else if (acl) {
+@@ -427,7 +427,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
+ 				goto release_and_out;
+ 		}
+ 	} else
+-		acl = NULL;
++		acl = real_acl = NULL;
+ 
+ retry:
+ 	handle = ext4_journal_start(inode, EXT4_HT_XATTR,
+@@ -454,7 +454,7 @@ out_stop:
+ 		goto retry;
+ 
+ release_and_out:
+-	posix_acl_release(acl);
++	posix_acl_release(real_acl);
+ 	return error;
+ }
+ 
+-- 
+1.8.3.1
+

kernel/kernel-std/centos/build_srpm.data

@@ -1,4 +1,4 @@
 COPY_LIST="files/*"
-TIS_PATCH_VER=1
+TIS_PATCH_VER=2
 BUILD_IS_BIG=11
 BUILD_IS_SLOW=12

kernel/kernel-std/centos/meta_patches/Compile-issues.patch

@@ -1,34 +1,38 @@
-From a38da63c3677f78c33b3896699788bd5eb77116e Mon Sep 17 00:00:00 2001
+From f9a5a49c9daac827d94cd562c0c6f100388fd798 Mon Sep 17 00:00:00 2001
+Message-Id: <f9a5a49c9daac827d94cd562c0c6f100388fd798.1566587341.git.Jim.Somerville@windriver.com>
+In-Reply-To: <ac67546ccbecd3ee18145be31d87d7253048adda.1566587341.git.Jim.Somerville@windriver.com>
+References: <ac67546ccbecd3ee18145be31d87d7253048adda.1566587341.git.Jim.Somerville@windriver.com>
 From: "zhao.shuai" <zhaos@neusoft.com>
 Date: Tue, 6 Aug 2019 16:18:04 +0800
-Subject: [PATCH 3/3] Compile issues
+Subject: [PATCH 2/2] Compile issues
 
 Signed-off-by: zhao.shuai <zhaos@neusoft.com>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
 ---
  SPECS/kernel.spec | 9 +++++++++
  1 file changed, 9 insertions(+)
 
 diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
-index 418cdd0..a5de0aa 100644
+index d5df4a4..1d765ed 100644
 --- a/SPECS/kernel.spec
 +++ b/SPECS/kernel.spec
-@@ -491,6 +491,12 @@ Patch40025: dpt_i2o-fix-build-warning.patch
- Patch40026: turn-off-write-same-in-smartqpi-driver.patch
- # Fix use-after-free in eventpoll_release_file
- Patch40027: epoll-fix-use-after-free-in-eventpoll_release_file.patch
+@@ -495,6 +495,12 @@ Patch40027: epoll-fix-use-after-free-in-eventpoll_release_file.patch
+ Patch40028: ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
+ Patch40029: rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
+ Patch40030: rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
 +# Fix assorted compilation issues
-+Patch40028: fix-compilation-issues.patch
++Patch40031: fix-compilation-issues.patch
 +# Fix CentOS 7.6 upgrade compile error
-+Patch40029: fix-CentOS-7.6-upgrade-compile-error.patch
++Patch40032: fix-CentOS-7.6-upgrade-compile-error.patch
 +# Compile fix for disabling CONFIG_MEMCG_KMEM
-+Patch40030: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
++Patch40033: compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch
  
  BuildRoot: %{_tmppath}/kernel-%{KVRA}-root
  
-@@ -862,6 +868,9 @@ ApplyOptionalPatch aic94xx-Skip-reading-user-settings-if-flash-is-not-f.patch
- ApplyOptionalPatch dpt_i2o-fix-build-warning.patch
- ApplyOptionalPatch turn-off-write-same-in-smartqpi-driver.patch
- ApplyOptionalPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
+@@ -869,6 +875,9 @@ ApplyOptionalPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
+ ApplyOptionalPatch ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
+ ApplyOptionalPatch rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
+ ApplyOptionalPatch rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
 +ApplyOptionalPatch fix-compilation-issues.patch
 +ApplyOptionalPatch fix-CentOS-7.6-upgrade-compile-error.patch
 +ApplyOptionalPatch compile-fix-for-disabling-CONFIG_MEMCG_KMEM.patch

kernel/kernel-std/centos/meta_patches/Kernel-source-patches-for-TiC.patch

@@ -1,18 +1,20 @@
-From e9f7eeea6002b26912b6434c324ac19c2987afe8 Mon Sep 17 00:00:00 2001
+From ac67546ccbecd3ee18145be31d87d7253048adda Mon Sep 17 00:00:00 2001
+Message-Id: <ac67546ccbecd3ee18145be31d87d7253048adda.1566587341.git.Jim.Somerville@windriver.com>
 From: "zhao.shuai" <zhaos@neusoft.com>
 Date: Mon, 5 Aug 2019 17:55:01 +0800
-Subject: [PATCH 2/3] Kernel-source-patches-for-TiC
+Subject: [PATCH 1/2] Kernel-source-patches-for-TiC
 
 Signed-off-by: zhao.shuai <zhaos@neusoft.com>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
 ---
- SPECS/kernel.spec | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 61 insertions(+)
+ SPECS/kernel.spec | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 68 insertions(+)
 
 diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
-index e42177e..418cdd0 100644
+index e42177e..d5df4a4 100644
 --- a/SPECS/kernel.spec
 +++ b/SPECS/kernel.spec
-@@ -460,6 +460,38 @@ Patch1002: debrand-rh-i686-cpu.patch
+@@ -460,6 +460,42 @@ Patch1002: debrand-rh-i686-cpu.patch
  Source30000: kernel-3.10.0-x86_64.config.tis_extra
  Source30001: ima_signing_key.pub
  
@@ -47,11 +49,15 @@ index e42177e..418cdd0 100644
 +Patch40026: turn-off-write-same-in-smartqpi-driver.patch
 +# Fix use-after-free in eventpoll_release_file
 +Patch40027: epoll-fix-use-after-free-in-eventpoll_release_file.patch
++# Fix three potential kernel memory leaks
++Patch40028: ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
++Patch40029: rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
++Patch40030: rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
 +
  BuildRoot: %{_tmppath}/kernel-%{KVRA}-root
  
  %description
-@@ -802,6 +834,35 @@ ApplyOptionalPatch debrand-single-cpu.patch
+@@ -802,6 +838,38 @@ ApplyOptionalPatch debrand-single-cpu.patch
  ApplyOptionalPatch debrand-rh_taint.patch
  ApplyOptionalPatch debrand-rh-i686-cpu.patch
  
@@ -83,6 +89,9 @@ index e42177e..418cdd0 100644
 +ApplyOptionalPatch dpt_i2o-fix-build-warning.patch
 +ApplyOptionalPatch turn-off-write-same-in-smartqpi-driver.patch
 +ApplyOptionalPatch epoll-fix-use-after-free-in-eventpoll_release_file.patch
++ApplyOptionalPatch ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch
++ApplyOptionalPatch rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch
++ApplyOptionalPatch rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch
 +
  # Any further pre-build tree manipulations happen here.
  

kernel/kernel-std/centos/patches/ipvs-fix-memory-leak-in-ip_vs_ctl.c.patch

@@ -0,0 +1,57 @@
+From e3887b1e84e274be02f992e034e0dba1f53925b6 Mon Sep 17 00:00:00 2001
+Message-Id: <e3887b1e84e274be02f992e034e0dba1f53925b6.1566585829.git.Jim.Somerville@windriver.com>
+From: Tommi Rantala <tt.rantala@gmail.com>
+Date: Thu, 7 May 2015 15:12:21 +0300
+Subject: [PATCH 1/3] ipvs: fix memory leak in ip_vs_ctl.c
+
+[ commit f30bf2a5cac6c60ab366c4bc6db913597bf4d6ab in Linus' repo ]
+
+Fix memory leak introduced in commit a0840e2e165a ("IPVS: netns,
+ip_vs_ctl local vars moved to ipvs struct."):
+
+unreferenced object 0xffff88005785b800 (size 2048):
+  comm "(-localed)", pid 1434, jiffies 4294755650 (age 1421.089s)
+  hex dump (first 32 bytes):
+    bb 89 0b 83 ff ff ff ff b0 78 f0 4e 00 88 ff ff  .........x.N....
+    04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<ffffffff8262ea8e>] kmemleak_alloc+0x4e/0xb0
+    [<ffffffff811fba74>] __kmalloc_track_caller+0x244/0x430
+    [<ffffffff811b88a0>] kmemdup+0x20/0x50
+    [<ffffffff823276b7>] ip_vs_control_net_init+0x1f7/0x510
+    [<ffffffff8231d630>] __ip_vs_init+0x100/0x250
+    [<ffffffff822363a1>] ops_init+0x41/0x190
+    [<ffffffff82236583>] setup_net+0x93/0x150
+    [<ffffffff82236cc2>] copy_net_ns+0x82/0x140
+    [<ffffffff810ab13d>] create_new_namespaces+0xfd/0x190
+    [<ffffffff810ab49a>] unshare_nsproxy_namespaces+0x5a/0xc0
+    [<ffffffff810833e3>] SyS_unshare+0x173/0x310
+    [<ffffffff8265cbd7>] system_call_fastpath+0x12/0x6f
+    [<ffffffffffffffff>] 0xffffffffffffffff
+
+Fixes: a0840e2e165a ("IPVS: netns, ip_vs_ctl local vars moved to ipvs struct.")
+Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 02409f3..3738b84 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -3843,6 +3843,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net)
+ 	cancel_delayed_work_sync(&ipvs->defense_work);
+ 	cancel_work_sync(&ipvs->defense_work.work);
+ 	unregister_net_sysctl_table(ipvs->sysctl_hdr);
++
++	if (!net_eq(net, &init_net))
++		kfree(ipvs->sysctl_tbl);
+ }
+ 
+ #else
+-- 
+1.8.3.1
+

kernel/kernel-std/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_acl_chmod.patch

@@ -0,0 +1,67 @@
+From 598c88638d4f46a38bf3d0669bc042c1ea1e4605 Mon Sep 17 00:00:00 2001
+Message-Id: <598c88638d4f46a38bf3d0669bc042c1ea1e4605.1566585829.git.Jim.Somerville@windriver.com>
+In-Reply-To: <e3887b1e84e274be02f992e034e0dba1f53925b6.1566585829.git.Jim.Somerville@windriver.com>
+References: <e3887b1e84e274be02f992e034e0dba1f53925b6.1566585829.git.Jim.Somerville@windriver.com>
+From: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
+Date: Fri, 9 Feb 2018 11:52:14 +0300
+Subject: [PATCH 2/3] rh/ext4: release leaked posix acl in ext4_acl_chmod
+
+[ commit b85d6be0b743a1768b8456d36b52960858fbaa67 in OpenVZ's vzkernel repo ]
+
+Note: only rh7-3.10.0-693.17.1.el7-based kernels are affected.
+I.e. starting from rh7-3.10.0-693.17.1.vz7.43.1.
+
+Posix acl is used to convert of an extended attribute, provided by user to ext4
+attributes. In particular to i_mode in case of ACL_TYPE_ACCESS request.
+IOW, this object is allocated, used for convertion, not stored anywhere and
+must be freed.
+
+However posix_acl_update_mode() can zerofy the pointer to support
+ext4_set_acl() logic, but then the object is leaked.  So, fix it by releasing
+new temporary pointer with the same value instead of acl pointer.
+
+In scope of https://jira.sw.ru/browse/PSBM-81384
+
+RHEL bug URL: https://bugzilla.redhat.com/show_bug.cgi?id=1543020
+
+Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
+Acked-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
+---
+ fs/ext4/acl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
+index 917e819..fce029f 100644
+--- a/fs/ext4/acl.c
++++ b/fs/ext4/acl.c
+@@ -297,7 +297,7 @@ cleanup:
+ int
+ ext4_acl_chmod(struct inode *inode)
+ {
+-	struct posix_acl *acl;
++	struct posix_acl *acl, *real_acl;
+ 	handle_t *handle;
+ 	int retries = 0;
+ 	int error;
+@@ -315,6 +315,8 @@ ext4_acl_chmod(struct inode *inode)
+ 	error = posix_acl_chmod(&acl, GFP_KERNEL, inode->i_mode);
+ 	if (error)
+ 		return error;
++
++	real_acl = acl;
+ retry:
+ 	handle = ext4_journal_start(inode, EXT4_HT_XATTR,
+ 				    ext4_jbd2_credits_xattr(inode));
+@@ -341,7 +343,7 @@ out_stop:
+ 	    ext4_should_retry_alloc(inode->i_sb, &retries))
+ 		goto retry;
+ out:
+-	posix_acl_release(acl);
++	posix_acl_release(real_acl);
+ 	return error;
+ }
+ 
+-- 
+1.8.3.1
+

kernel/kernel-std/centos/patches/rh-ext4-release-leaked-posix-acl-in-ext4_xattr_set_a.patch

@@ -0,0 +1,79 @@
+From 190fe153e1def764a02d7cb3438f5bc7c0402e48 Mon Sep 17 00:00:00 2001
+Message-Id: <190fe153e1def764a02d7cb3438f5bc7c0402e48.1566585829.git.Jim.Somerville@windriver.com>
+In-Reply-To: <e3887b1e84e274be02f992e034e0dba1f53925b6.1566585829.git.Jim.Somerville@windriver.com>
+References: <e3887b1e84e274be02f992e034e0dba1f53925b6.1566585829.git.Jim.Somerville@windriver.com>
+From: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
+Date: Fri, 9 Feb 2018 11:52:15 +0300
+Subject: [PATCH 3/3] rh/ext4: release leaked posix acl in ext4_xattr_set_acl
+
+[ commit b762d904ada70f239f1c2d2d70c4a64cd04c8ade in OpenVZ's vzkernel repo ]
+
+Note: only rh7-3.10.0-693.17.1.el7-based kernels are affcted.
+I.e. starting from rh7-3.10.0-693.17.1.vz7.43.1.
+
+Posix acl is used to convert of an extended attribute, provided by user to ext4
+attributes. In particular to i_mode in case of ACL_TYPE_ACCESS request.
+
+IOW, this object is allocated, used for convertion, not stored anywhere and
+must be freed.
+
+However posix_acl_update_mode() can zerofy the pointer to support
+ext4_set_acl() logic, but then the object is leaked. So, fix it by releasing
+new temporary pointer with the same value instead of acl pointer.
+
+https://jira.sw.ru/browse/PSBM-81384
+
+RHEL bug URL: https://bugzilla.redhat.com/show_bug.cgi?id=1543020
+
+v2: Added affected kernel version + RHEL bug URL
+
+Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
+Acked-by: Dmitry Monakhov <dmonakhov@openvz.org>
+Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
+---
+ fs/ext4/acl.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
+index fce029f..046b338 100644
+--- a/fs/ext4/acl.c
++++ b/fs/ext4/acl.c
+@@ -405,7 +405,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
+ {
+ 	struct inode *inode = dentry->d_inode;
+ 	handle_t *handle;
+-	struct posix_acl *acl;
++	struct posix_acl *acl, *real_acl;
+ 	int error, retries = 0;
+ 	int update_mode = 0;
+ 	umode_t mode = inode->i_mode;
+@@ -418,7 +418,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
+ 		return -EPERM;
+ 
+ 	if (value) {
+-		acl = posix_acl_from_xattr(&init_user_ns, value, size);
++		acl = real_acl = posix_acl_from_xattr(&init_user_ns, value, size);
+ 		if (IS_ERR(acl))
+ 			return PTR_ERR(acl);
+ 		else if (acl) {
+@@ -427,7 +427,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
+ 				goto release_and_out;
+ 		}
+ 	} else
+-		acl = NULL;
++		acl = real_acl = NULL;
+ 
+ retry:
+ 	handle = ext4_journal_start(inode, EXT4_HT_XATTR,
+@@ -454,7 +454,7 @@ out_stop:
+ 		goto retry;
+ 
+ release_and_out:
+-	posix_acl_release(acl);
++	posix_acl_release(real_acl);
+ 	return error;
+ }
+ 
+-- 
+1.8.3.1
+